Massive security gaps discovered in building access systems

Cyber criminals can easily access building access systems worldwide. A study reveals the extent and causes.

They are supposed to control who can enter a building – but all too often these access systems are a gateway for cyber criminals. This is the conclusion reached by researchers from the IT security consultancy Modat. The extent of the problem is enormous.

The Dutch company published a study that identified around 49,000 incorrectly configured access systems, also called access management systems (AMS). They are spread across various regions of the world and sectors such as construction, healthcare, education, manufacturing, the oil industry and government institutions. The authors speak of a global problem.

AMS authenticate their users with methods such as passwords, biometrics or multi-factor authentication and authorize their access rights based on set policies. If they fail, this causes two central problems. Firstly, unauthorized persons can gain access to the buildings. Secondly, the faulty systems provide unauthorized access to all kinds of sensitive data.

And this should not be underestimated: according to the researchers, employee photos, full names, identification numbers, access card details, biometric data, vehicle license plates and in some cases even complete work schedules and access data to facilities were left unprotected. The biometric data that was accessible in some modern AMS was particularly sensitive. All of this provides an attack surface for phishing, identity theft, social engineering and other forms of fraud aimed at siphoning off sensitive data.

Most cases are concentrated in Europe, the US, the Middle East and North Africa. The countries with the most faulty devices were Italy (16,678), Mexico (5,940) and Vietnam (5,035). Germany is not explicitly mentioned in the study and does not appear in the top 10; India is in 10th place with around 1,070 cases. The study does not mention which access systems of which manufacturers are affected.

(nen)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.